The Cyber Component In Medical Device Quality Assurance Training

“Cybersecurity is currently one of health care’s largest concerns. The unlawful manipulation of medical devices locally, or more recently remotely, via malware and ransomware attacks, represents an immediate threat to the safety and security of those for whom we provide care. Biomedical Engineering must now consider the impact of the 'Internet of Things' as a growing number of medical devices and systems are electronically integrated, including integration into the medical record.”

Medical devices — whether imaging machines, infusion pumps, lasers, medical ventilators or the plethora of other equipment used for diagnostics or treatment — are central to patient care in every hospital. Ensuring their safe, effective, and efficient use is the responsibility of medical device teams, who every day bring to bear a unique blend of knowledge and skills across clinical and engineering disciplines.

These medical device professionals, found in every hospital, are known by many names; sometimes called EBME (Electrical and BioMedical Engineer), they may alternatively use titles such as medical engineer, biomedical engineer, CBET (Certified Biomedical Equipment Technician) or clinical engineer. Regardless of the exact title, these are the people who support the use of devices by health professionals and aim to simultaneously optimize clinical efficacy, patient and operator safety, care quality, technology innovation, and equipment costs.

These healthcare heroes often also have a leading role in managing device procurement, ensuring that each device and its usage complies with relevant regulations, and that those selfsame devices are properly maintained to manufacturer and best practice specifications. If that weren’t enough, clinical engineers are also tasked with maintaining an accurate and detailed inventory, training users, and knowing how to spot, and what to do, when something is wrong with a medical device.

The role is especially challenging given the breadth of knowledge and skills required, the need to manage a wide range of stakeholders (in most cases clinical staff use the devices while the clinical engineering team is responsible for them), and the need to keep on top of a changing medical device landscape.

For example, most medical devices that involve serious engineering are today designed with network connectivity. This connectivity opens up a whole new frontier of operational considerations and points of potential compromise for clinical engineers to concern themselves with. Yet, only ten years ago, that frontier was totally absent from the occupation.

Clinical Engineering and Cybersecurity

Maintaining a high level of cybersecurity is difficult for any hospital, but medical devices have their own challenges:

Even a mid-sized hospital has thousands of connected medical devices, and up-to-date device inventories are a rarity. Without knowing what devices are deployed, what purposes they’re meant to serve, where they’re located, and which staff are authorized to use them, effective cybersecurity is well-nigh impossible.

The medical device industry isn’t a single vendor, single product marketplace. Many manufacturers use their own proprietary communication protocols (or unusual protocol combinations) with unique security implications that, if not properly understood and accounted for, could introduce highly consequential but hard-to-detect vulnerabilities.

Medical devices are often connected to legacy infrastructure that’s been developed over many years, resulting in a patchwork of systems and networks, with complex interdependencies and entangled operational vulnerabilities.

As the primary in-house source of medical device expertise, clinical engineers are expected to know the ins and outs of those devices and to make use of every available indicator of a device’s normal functioning and usage. In 2019, that needs to include some basic cybersecurity training and wherewithal. While that may seem intimidating to someone accustomed to thinking of his/her job as largely mechanical, the truth is that some digital training, tailored to medical device uses, will help you do your job quicker, easier, and better.

An Expanding Training Prerogative for Clinical Engineers

The best source of training for any given specific device is usually the manufacturer, and most now include some level of cyber education in the product training they deliver during initial device deployment, or follow-on refresher courses.

Since, however, manufacturers are themselves somewhat new to the cybersecurity game, it’s a good idea to complement manufacturer-provided training with something from a cybersecurity firm specializing in the healthcare space.

Aside from canned curricula, it’s good to develop courses around the specific needs of your hospital, in which case you may look to adapt some of the resources freely provided by Homeland Security, Cyber Aces, or Cybrary, among others.

Cyber Training for Medical Device Users

For healthcare providers, insiders pose a bigger threat than outside actors — providing a case in point for the need to better incorporate cyber hygiene education into medical device user training. A lot of the training undertaken by the clinical engineering team can be condensed and re-packaged for delivery to clinical staff and other users — with a focus on cybersecurity awareness and threat detection.

Staff training needs to cover general cybersecurity protection, such as the basics of password management, how to spot and what to do when encountering malicious websites or emails, social engineering, etcetera. It might seem obvious, but staff need to understand that clicking on the wrong link can trigger a malicious script that may ultimately compromise the delivery of care.

At the same time, training needs to include harder to spot and device-specific threat awareness. Sometimes subtle changes in device behavior patterns can indicate malfunction or worse — tampering. Accordingly, anyone handling these devices will need to know what to look out for as well as to whom and how to report a suspected problem.

What’s more, training is often the first place the FDA or other regulators look during an audit. Besides training, other procedures that should be updated for greater cyber awareness are:

Inventory/asset management: the more detailed the information held for each device, the easier it will be to smartly utilize and manage your available assets. It also makes your efforts to proactively maintain and protect your medical devices a lot more straightforward. For example, a management system that tracks your inventory according to device name and description, physical & logical (e.g. IP address) location, operational status, active software versions, patch statuses, etcetera, makes it much easier to monitor for vulnerabilities and alert managers when intervention is required.

Risk assessment: risk assessments are already an important part of clinical engineering, but the scope of those assessments needs to be extended to cover cyber considerations such as known device vulnerabilities (taken from CVE lists and manufacturer disclosure statements), new vulnerabilities (revealed through pen testing), and latent network or IT infrastructure weaknesses.

Recall management: a data feed updated in real-time with information from manufacturers or regulators about medical devices requiring recall, automatically cross-referenced against devices in use, will help preempt problems.

Performance optimization: monitoring a device’s behavior can provide useful information about possible problems. For example, battery power being consumed at an above-normal rate, or irregularities in device performance, can indicate or even trigger problems. Performance indicators of these types can be linked to automated alerts sent to the medical device team, allowing them to take prompt action.
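As an added illustration of the inventory, recall-management and performance-monitoring items above (example code, not from the original article or any vendor's system), the following sketch keeps the inventory fields the text names, cross-references each device's running software version against a constructed advisory/recall feed, and raises an alert when battery drain exceeds a threshold. Device names, versions, IP addresses, advisory identifiers and battery readings are all constructed placeholders.

```python
"""Cross-reference a device inventory against an advisory/recall feed and flag
abnormal battery drain. All records below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Device:
    asset_id: str
    name: str
    ip: str               # logical location
    location: str         # physical location
    status: str           # operational status
    software_version: str
    patch_status: str


# Constructed inventory rows (fields follow those named in the text).
INVENTORY = [
    Device("A-1001", "InfusionPump-X", "10.20.1.15", "ICU bay 3", "in service", "4.2.0", "current"),
    Device("A-1002", "InfusionPump-X", "10.20.1.16", "ICU bay 4", "in service", "4.1.3", "overdue"),
    Device("A-2001", "Ventilator-Y", "10.20.2.40", "OR 2", "out of service", "7.0.1", "current"),
]

# Constructed feed entries; the identifiers are placeholders, not real advisories.
ADVISORIES = [
    {"name": "InfusionPump-X", "affected": {"4.1.2", "4.1.3"}, "id": "ADVISORY-PLACEHOLDER-1", "kind": "vulnerability"},
    {"name": "Ventilator-Y", "affected": {"7.0.1"}, "id": "RECALL-PLACEHOLDER-2", "kind": "recall"},
]


def match_advisories(inventory, advisories):
    """Return (asset_id, advisory id, kind) for each device whose running version is affected."""
    hits = []
    for dev in inventory:
        for adv in advisories:
            if dev.name == adv["name"] and dev.software_version in adv["affected"]:
                hits.append((dev.asset_id, adv["id"], adv["kind"]))
    return hits


def battery_alerts(readings, max_pct_per_hour=8.0):
    """readings maps asset_id -> [(hours_elapsed, battery_pct), ...], oldest first.
    Returns (asset_id, drain rate in %/hour) for devices draining faster than the threshold."""
    alerts = []
    for asset_id, series in readings.items():
        (t0, p0), (t1, p1) = series[0], series[-1]
        rate = (p0 - p1) / (t1 - t0)
        if rate > max_pct_per_hour:
            alerts.append((asset_id, round(rate, 1)))
    return alerts


# Constructed telemetry: A-1002 loses 30% in two hours, well above the 8%/hour threshold.
BATTERY_READINGS = {"A-1001": [(0, 100), (2, 96)], "A-1002": [(0, 100), (2, 70)]}
```

Running `match_advisories(INVENTORY, ADVISORIES)` flags the pump on the affected version and the recalled ventilator, and `battery_alerts(BATTERY_READINGS)` flags only the fast-draining pump.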

Aside from helping prevent attacks on medical devices and ensuring nothing is preventing them from performing as designed, the clinical engineering team can also play an important role in delivering a security-aware culture across the hospital. And if that can be achieved, the entire organization will be a lot better off.